Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.
-
Upload
barnaby-parsons -
Category
Documents
-
view
215 -
download
0
Transcript of Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.
Stealing Passwords Remotely&
Malware Analysis
PacITProsMay 8, 2012
Bio
Summary
• HTTP & HTTPS Passwords in RAM
• Windows Logon Passwords in RAM
• Java Attacks
• Evading Antivirus
• Malware Analysis Overview
HTTP & HTTPS Passwords in RAM
HTTP Web Login
• HTTP Authentication: Wikipedia
HTTP Web Login
• Password is transmitted over the Internet in plaintext
• Wireshark capture on next slide– Capture login– Statistics, Conversations– TCP tab– Follow Stream (with 13 packets)
Using HxD Freeware
Password Found
HTTPS Web Login
Password Found!
Windows Logon Passwords in RAM
Windows Login Password
Not Found
• Windows doesn’t store login passwords in cleartext in RAM
Windows Credential Editor
Written by Hernan Ochoa, 2011
Passwords are Encrypted
• But the Keys are in RAM
Java Attacks
This Attack is Not Counted in Those Graphs
• The attack I am demonstrating does not rely on any of those vulnerabilities
• This is Java operating as intended• Works on fully updated Java• No patch can be expected
Social-Engineer Toolkit
• In BackTrack Linux
User Sees This Warning
Stolen Password!
Evading Antivirus
Effectiveness of AV Evasion
Countermeasures
• Disable Java• Don’t use Adobe products• Antivirus helps some• Antivirus + Deep Freeze helps a LOT• BUT DON’T TRUST ANY COUNTERMEASURE
– They are all easily bypassed
Malware Analysis
Techniques
• Basic Static Analysis: File, Strings, and AV• Basic Dynamic Analysis: RegShot, Wireshark,
Process Monitor, LordPE• Advanced Static Analysis: IDA Pro• Advanced Dynamic Analysis: Debuggers (not
included in this talk)
Basic Static Analysis
Harvesting Malware from Packet Captures with Wireshark
Save As
File
Strings
Basic Dynamic Analysis
Run Malware in a Virtual Machine
Process Monitor
RegShot
RegShot Results
Process Monitor Results
Packed Executables
• .exe file lacks readable strings• When executed, the file unpacks itself into
RAM and runs there• Solution: Analyze the RAM, not the hard disk
file
LordPE
Advanced Static Analysis
IDA Pro
Disassembler
Mind-Boggling Complexity
Skip Details
Module A: Compare, Jump
Module C: Usage Instructions
C Source Code
Solution